Authorize DestroyPipelineService against pipeline

2018-11-13 17:17:01 +01:00 · 2018-11-13 17:17:01 +01:00 · 0bc14b4522
commit 0bc14b4522
parent 6173d4639a
5 changed files with 25 additions and 4 deletions
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@ -16,6 +16,10 @@ module Ci
      enable :update_pipeline
    end

+    rule { can?(:owner_access) }.policy do
+      enable :destroy_pipeline
+    end
+
    def ref_protected?(user, project, tag, ref)
      access = ::Gitlab::UserAccess.new(user, project: project)

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@ -144,7 +144,6 @@ class ProjectPolicy < BasePolicy
    enable :destroy_merge_request
    enable :destroy_issue
    enable :remove_pages
-    enable :destroy_pipeline

    enable :set_issue_iid
    enable :set_issue_created_at
--- a/app/services/ci/destroy_pipeline_service.rb
+++ b/app/services/ci/destroy_pipeline_service.rb
@ -3,11 +3,11 @@
 module Ci
  class DestroyPipelineService < BaseService
    def execute(pipeline)
-      return false unless can?(current_user, :destroy_pipeline, project)
+      return false unless can?(current_user, :destroy_pipeline, pipeline)

      AuditEventService.new(current_user, pipeline).security_event

-      pipeline.destroy
+      pipeline.destroy!
    end
  end
 end
--- a/lib/api/pipelines.rb
+++ b/lib/api/pipelines.rb
@ -89,7 +89,7 @@ module API
        requires :pipeline_id, type: Integer, desc: 'The pipeline ID'
      end
      delete ':id/pipelines/:pipeline_id' do
-        authorize! :destroy_pipeline, user_project
+        authorize! :destroy_pipeline, pipeline

        destroy_conditionally!(pipeline) do
          ::Ci::DestroyPipelineService.new(user_project, current_user).execute(pipeline)
--- a/spec/policies/ci/pipeline_policy_spec.rb
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@ -74,5 +74,23 @@ describe Ci::PipelinePolicy, :models do
        expect(policy).to be_allowed :update_pipeline
      end
    end
+
+    describe 'destroy_pipeline' do
+      let(:project) { create(:project, :public) }
+
+      context 'when user has owner access' do
+        let(:user) { project.owner }
+
+        it 'is enabled' do
+          expect(policy).to be_allowed :destroy_pipeline
+        end
+      end
+
+      context 'when user is not owner' do
+        it 'is disabled' do
+          expect(policy).not_to be_allowed :destroy_pipeline
+        end
+      end
+    end
  end
 end